Video Screencast Help
Security Response
Showing posts in English
Zulfikar Ramzan | 15 Feb 2007 08:00:00 GMT | 0 comments

I wanted to talk about a recent new attack, called Drive-ByPharming, which I co-developed with Sid Stamm and Markus Jakobsson ofthe Indiana University School of Informatics. It allows attackers tocreate a Web page that, simply when viewed, results insubstantive configuration changes to your home broadband router orwireless access point. As a result, attackers gain complete controlover the conduit by which you surf the Web, allowing them to direct youto sites they designed (no matter what Web address you direct your Webbrowser to).

I believe this attack has serious widespread implications andaffects many millions of users worldwide. Fortunately, this attack iseasy to defend against as well. In this blog entry, I’ll describe theattack, mention some prior related work, and then go over bestpractices.

How the attack works:

I’ll start with a high-level real-world analogy of this attack.Imagine that whenever you wanted to go to your bank,...

Symantec Security Response | 14 Feb 2007 08:00:00 GMT | 0 comments

Anyone who has something to say now hasaccess to media and the means to distribute his or her message. Folkshave discovered that their fifteen minutes of fame can easily beachieved through the Internet with video clips, blogs, and vlogs(a blog that contains video). User-generated content opens the door tonew opportunities. We can learn about a day in the life of a soldier atwar, showing first hand what we have only been able to see in themovies. "Lookie loos" (or casual observers) now record events happeningin real time using only their cell phones, thus becoming amateur journalists. People are demonstrating their unique talents, effectively becoming ...

Kelly Conley | 13 Feb 2007 08:00:00 GMT | 0 comments

It seems like only yesterday I was blogging about a new spam report that Symantec Messaging and the Web Security team have published regarding the state of spam. Now, the February report is online, which gives a good overview of spam activity in January of 2007.

This issue highlights several interesting trends. While spam continues to be a high percentage of all email, there was a slight reduction of spam in January to approximately 69 percent. The technique du jour, image spam, reached a high in January, but ended the month around 30 percent. It's amazing to think that 30 percent of the total spam volume is image spam. We look at it every day, and still it continues to arrive, most notably in emails for penny stock and fake Rolex.

Have you noticed a decline in adult-oriented email lately? So have we. Once consistently in the top categories of...

Ben Greenbaum | 13 Feb 2007 08:00:00 GMT | 0 comments

Anybody remember when RTF files were just innocent little things?They were like the big brother of the .txt file, or .txt v2, if youwill. Just characters on a screen, but some of them might be differentfonts or colors or sizes – maybe the occasional clipart. Who would haveguessed they are apparently the most hostile files on the Internet thismonth? "When RTFs Go Bad!…" Okay, perhaps I’m exaggerating, but thismonth Microsoft is patching no less than three vulnerabilities, inseparate applications, that can be exploited via malicious RTF filesthat contain OLE objects.

Several of this month’s patches address issues that have beenexploited already in limited-distribution, targeted attacks. Thecombination of target-specific social engineering and privately heldvulnerability information is becoming more and more widely adopted byattackers with political and industrial motivations. While the "newbreed" of cybercriminals wants to cast as wide a net as possible, wecannot forget that...

Symantec Security Response | 12 Feb 2007 08:00:00 GMT | 0 comments

Emperor Entertainment Group: From sex photo scandal to Web site being hacked, key word: protect the data on your hard drive.

It's probably not the best way to advertise privacy protection, butit's indeed something that should ring a bell for those who leave theirportable devices unattended or unsecured.

Rumor has it that Edison Chan, the popular celebrity from Hong Kong,had data stolen from his personal laptop. Now under normalcircumstances, this would be bad enough. However, it turns out Mr. Chanhad taken hundreds of pictures and videos of over 14 female celebritiesin various states of dress and involved in various sexual acts, andstored this data on his computer. The stolen data has since spreadquickly over the Internet.

Earlier today the Emperor Entertainment Group's Web site - the groupthat several of the victims have contracts with - was hacked by someonecalling themselves "blspi" with the following message in Chinese, "Isincerely hope EEG...

Symantec Security Response | 12 Feb 2007 08:00:00 GMT | 0 comments

As I sit here looking for inspiration for my next blogpontification, I realized that I would be remiss if I didn't touch abit on Vista given Microsoft's latest announcement. If you do a searchon Vista in your browser, you’ll see plenty of material out theretouting how “secure” Vista is. But let’s face it, at the most basiclevel, Vista, in and of itself, is just another operating system. So,let’s not confuse an operating system that’s more secure with somethingthat is an actual security solution that provides real protectionagainst the breadth of computer attacks. Perhaps it's just semantics,but it does cause some confusion as illustrated by severalconversations I've been in where people I’ve talked to have made thismistake. So, let's set the record straight.

For the record, and without getting too much into the nitty-grittydetails, Vista is simply an operating system that contains a variety ofnew features that make it less readily hackable and exploitable. That’sit. Although...

Dave Cole | 09 Feb 2007 08:00:00 GMT | 0 comments

We recently hit a big milestone here at Symantec Security Response:30 VB100 awards in a row! This means that for every VB100 test forwhich we have submitted a product, we’ve detected all the threats onthe latest WildList without missing a threat and without triggering afalse positive on a clean file. For a little perspective, this streakstretches all the way back to the last century (OK, 1999) with theNovember 1999 VB100 test for Windows 98. We think this a prettyremarkable achievement in consistency and reliability.

There were a couple other notable items in the latest test, not theleast of which was that it was the first VB100 that covered Microsoft’snew Vista operating system. We were one of several security companieswho notched a win on the inaugural Vista VB100, but there were a few ofus who didn’t quite make the cut.Note that...

Kelly Conley | 08 Feb 2007 08:00:00 GMT | 0 comments

I just received a legitimate e-newsletter from a science gadget company. I'm reading along about robotic arms and hands and the use of these objects in operating rooms. I'm immersed in this email. It's pretty interesting stuff. To imagine the steps that we've made with science and technology in the past 50 years or less, is truly mind boggling. Then I get to the end. Or not.

There it is. A URL. Why is it there and where does it lead? It must have something to do with scientific gadgets. Does it take me back to the main Web site? Does it take me to another reference of robotic use in operating rooms? It isn’t the opt-out, because that URL is just above this one.

I click and it doesn't take me anywhere that I would have guessed. In fact, it is not related to science or technology at all. The URL takes me to an adult-related meds site. What is the correlation? Is there supposed to be one between readers of science newsletters and viagra? I have no idea what the...

Orla Cox | 08 Feb 2007 08:00:00 GMT | 0 comments

Today has seen another large-scale spamming of Trojan.Peacomm, aka the "Storm Trojan". With Valentine's Day approaching, this time around the authors are attempting to tug on the heartstrings of unsuspecting users with romantic subject lines such as "My Heart belongs to you" and "Together You and I". The mail body is empty and the attachments have the usual names of "Greeting Card.exe", "Postcard.exe", and "Greeting Postcard.exe".

The Trojan is much the same as we've seen before, the only difference being that the authors have used a modified packer in an (unsuccessful) effort to evade detection by AntiVirus vendors. These latest samples are proactively detected as Bloodhound.Packed.13 with Rapid Release definitions dated 02/07/2007 (revision 54). Definitions dated 02/08/2007 (revision 25) and later will...

Aaron Adams | 08 Feb 2007 08:00:00 GMT | 0 comments

The month of January is already over and, accordingly, so is the Month of Apple Bugs(MoAB). As promised, one advisory was released every day of the month,in some cases addressing numerous vulnerabilities in an application.Unlike the Month of Browser Bugs and Month of Kernel Bugs, this time we saw the interesting twist of a parallel group starting a Month of Apple Fixes.This group was responsible for the release of unofficial run-timepatches for the majority of the issues disclosed, with the exception ofthose affecting the kernel.

The classes of vulnerabilities discovered during the MoAB...